Risk - GRC - Process Workshop Presentation - Paris
(GRC)
Process Implementation Workshop
Speaker Name
Date
• Ref: 0001575
Implementation Guiding Principles
• Workshop participants are selected to be champions for the new process – you are the agents for change!
• Make clear decisions on design during the workshop. All requirements will be captured as stories in
ServiceNow.
• Participants represent their respective areas. The Customer’s Audit Management Process Owner
commonly has final power of veto.
• Items not resolved in the time available in the workshop will go on a Parking Lot list for resolution post
workshop. All Parking Lot items, and their agreed solutions will be documented in ServiceNow.
Requirements Review
• Run through of user stories documented to date (1hr)
Break (0.5hr)
Next Steps
Requirements Review
• Run through draft user stories documented on Day 2 (1hr)
Risk Management Structure and Architecture (1hr)
Next Steps
Advanced Risk feature demo (0.5hr)
Risk Roles and Responsibilities (0.5hr)
Risk Events (2hrs)
• Risk Events, Risk Event State flow, Risk Event Response Template
• Risk Event catalog item
• Risk Event integration
Advanced Risk Dashboards (0.5hr)
Requirements Review
• Run through draft user stories documented on Day 2 (0.5hr)
Break (0.75hr)
Next Steps
Requirements Review
• Run through of user stories documented on Day 3 (1hr)
Audit Management Structure (1.5hr)
• Engagements, Test templates, Audit Tasks, Test templates, Control tests
Next Steps
Specific ACTIVITIES
Designed to ENSURE
• Multiple Audits
• Redundant tests
• Repetitive evidence gathering
The Solution
A consolidated list of controls that maps to all of your regulatory and operational requirements. This is accomplished via the IT UCF which is available in Fuji. This allows for "test once, comply many."
IT Service Management: Incident Management, Change Management
• In ServiceNow, Citation records are the specific requirements cited by an Authoritative Document.
• The Citation record is what connects the Authoritative Document to its applicable control(s).
Policy state flow: Draft → Review → Awaiting Approval → Published → Retired
Policy Acknowledgment (diagram)
Acknowledgment Setup: Policy, Policy Owner, Audience, Reference Material URL
Create Acknowledgment Campaign: Policy and Policy Owner; Valid from and Valid to; Response expected by; Audience & Reference Material URL
Send Policy Acknowledgments: Policy, Reference Material URL, Due Date
Acknowledgment response: the user may Decline or Request Exception
Acknowledgment status: Accepted, Declined, Exception Requested, Exempted
• Provides customers the ability to define a hierarchy of policies, control objectives, procedures, plans, standards, etc. to help define, measure and attain their business, operational and IT objectives
• The new hierarchical structure allows control objectives to be related to more than one policy
• Example
– Company IT security policy
• AMS IT security policy
• EMEA IT security policy
• APAC IT security policy
• Calculate compliance scores across the hierarchy of policies and roll them up to the parent level policy
• Provides temporary relief for control owners unable to meet compliance requirements due to extraordinary situations
– e.g. inability to meet a control objective/control that stipulates that the OS of all critical servers be patched within 48 hours after the OS vendor releases patches, as some servers are off-line for a limited period of time
• Allows exceptions to be requested for a specific Policy, Control Objective (control) or Issue
– Request exceptions from the GRC application (GRC users)
– Request exceptions from the GRC service catalog (non-GRC users)
• Helps Compliance and Risk Managers assess the risk of granting an exception prior to approving one
• Also provides a logical link to risk handling/treatment (Accept/Mitigate/Reject) as part of the exception process
• Can be leveraged from within other applications (Vulnerability Response)
Policy exception relationships (diagram): Policy, Control Objective, Controls, Issue; the Policy, Control Objective and Issue are related. Terminal state: Reject/Closed.
Notification | Trigger | Recipients | Purpose
Request Extension (approver) | When an extension is requested | Approver and watch list users | Inform the approver and the users in the watch list that an extension has been requested
Notify watchlist new content | When a comment is added in the activity field | Watch list users | Inform the users in the watch list that a comment has been added
Policy exception closed | When a policy exception is closed | Requester and the approver | Inform the requester and the approver that the policy exception has been closed
Notify approver for review | When a policy exception state moves to Review | Approver | Inform the approver that the policy exception moved to the Review state
Notify requester extension approved | When a policy exception extension request is approved | Requester and the watch list users | Inform the requester and the watch list users that the policy exception extension request has been approved
Notify requester extension rejected | When a policy exception extension request is rejected | Requester and the watch list users | Inform the requester and the watch list users that the policy exception extension request has been rejected
Notify policy exception assign group | When a policy exception approval is requested, or the approval group changes | Approval group members | Inform the approval group members that a policy exception approval is requested from one of the approval group members
Notify requester more info needed | When a compliance manager or the approver requests more information | Requester and watch list users | Inform the requester and watch list users that more information is needed to approve or reject the policy exception
Notify watchlist for BU approval | When a compliance manager or the approver requests a business owner approval | Watch list users | Inform the watch list users that a business owner will have to approve or reject the policy exception
Requester provided more information | When the requester sends back the information | Approver and watch list users | Inform the approver and watch list users that the requester has provided some information
Controls
• Controls are the actual control activities that are to be performed by your organization. Control records include basic required information about the control (e.g., control owner, control activity, frequency, etc.).
• A recurring risk and compliance management process that helps an organization maintain an optimal security stance based on a sound IT security policy
• Enables customers to continuously monitor, validate compliance and manage risk to:
– Specific IT security policies – e.g. organizational IT security policy
– Industry standards – e.g. PCI, NERC CIP
– Regulations – SOX, HIPAA
– Best practices – CoBIT, NIST 800-53
• Requires the Configuration Compliance plugin
• Define a typical IT GRC policy and control objectives (controls) therein; this will typically include technical controls, procedural or manual controls, surveys and self-assessments
• Map control objectives that are configuration-related to associated configuration tests in Configuration Compliance to set up a continuous compliance validation routine
• Assess overall compliance posture to policy by continuously monitoring compliance to technical and procedural controls; generate issues
• Understand overall effect on risk from policy violations
• Define remediation tasks for issues and drive remediation through GRC and Configuration Compliance to return non-compliant controls to compliance
• Maintain a continuous monitoring loop to ensure an optimal compliance stance
– Monitor → Assess → Measure → Remediate
• Configuration compliance and GRC are mapped via control objective and configuration tests
Continuous monitoring chain (diagram): a test results update triggers an event → the indicator fails when the test result fails → an issue is created when the indicator fails
Note: for phase one look to tailor attestation and create one template
Compliance roles: Compliance Admin, Compliance Manager, Compliance User
Day 2 - Risk
Speaker Name
Speaker Title
Risk Management
Risk Management ensures that risks with the potential to negatively impact IT and the Business are identified and treated.
Process flow: Risk Identification & Prioritization → Control Selection → Control Design → Control Implementation → Control Testing & Remediation
Risk Identification & Prioritization: the process through which management identifies and analyzes the threats and vulnerabilities that might adversely affect realization of the organization's business objectives.
• Flood/Tsunami
• Windstorm/Tornado
• Power Loss
Optimal
• Starts with Business Service Assessment
• Then identifies the criticality of the supporting IT Services
• Quantifies what is important
• Identifies all of the components that make up the service
• Has meaningful risk statements
• Quantifies the Risk
Sub Optimal
• No risk assessment at all
• Is not driven by business
• Treats all IT Services equally
• Control Framework checklist
• Doesn't identify all of the individual components of a Service
• Doesn't prioritize risk
Service hierarchy (diagram): Business Service → IT Service → Application, Database → Server, Virtual Server → Physical Server → Datacenter 1, Datacenter 2
Overview (diagram): Risk Assessment → Risk Response → Monitoring & Reporting
Process flow: Risk Identification & Prioritization → Control Selection → Control Design → Control Implementation → Control Testing & Remediation
Internal Control Framework: Policy, Standards, Procedures; Organization Structure
• A process by which a risk that has been determined following a formal risk assessment is dispositioned or treated
• Can be done as part of an independent risk assessment or as part of a policy exception that may require a risk assessment followed by a risk acceptance process
• A risk manager will have to figure out what needs to be done to address the risk. Options include:
– Mitigate
– Accept
– Avoid
– Transfer
• Risk manager completes a risk assessment and needs a way to handle/treat the risk
• GRC user seeks a policy exception for which a compliance manager refers the exception request for a formal risk assessment, to be followed by a risk acceptance process if required
• The risk determined needs to be dispositioned in one of the following ways
– Mitigate the risk. Action: Deploy mitigating control(s)
– Accept the risk. Action: Business owner understands and signs off on the risk
– Avoid the risk. Action: Reject the risk and deploy measure(s) to avoid the risk
– Transfer the risk. Action: Transfer the risk to another party or entity
• Requirements discussion:
Review next slides on two types of scorings, and decide which one you want to use
• grc_audit_reader
• grc_control_test_reader
• task_editor
• task_editor
• certification_admin
• grc_test_definition_admin
• grc_control_test_reader
• assessment_admin
• grc_compliance_reader
Risk Roles
Risk manager
• task_editor
• certification_admin
• grc_test_definition_admin
• grc_control_test_reader
• assessment_admin
• certification
• grc_compliance_reader
• certification_filter_admin
Risk Roles
Risk admin
• task_editor
• certification_admin
• grc_test_definition_admin
• grc_control_test_reader
Dashboard – Risk Overview
Speaker Name
Speaker Title
• Risk events are potential or actual financial and non-financial losses, near misses, and gains that occur within an organization.
• Risk events can be created using either the Service Portal or your ServiceNow instance.
Risk event state flow: New → Analyze → Awaiting Approval → Approved → Closed, or Rejected
• Risk event response templates automate the process of adding approvers, issues, and owners to a risk event based on the conditions defined in the templates.
• Users can also define the threshold amount for approvers for a risk event.
• A template can be defined for any entity, and all the child entities inherit the rules defined in the risk event response templates.
• Inherent Assessment
• Control Effectiveness Assessment
• Residual Assessment
Dashboard - Overview
Day 4 - Audit
Speaker Name
Speaker Title
The Audit Process
Overview (diagram): Risk Assessment → Risk Response → Monitoring & Reporting
Process flow: Risk Identification & Prioritization → Control Selection → Control Design → Control Implementation → Control Testing & Remediation
Internal Control Framework: Policies, Standards, Procedures; Organization Structure
Audit setup steps: Create Entity Type(s) → Create Entities → Create Test Templates → Create Engagement
Engagement state flow: Scope → Validate → Awaiting Approval → Fieldwork → Follow Up → Closed
• Number
• Control Objective
• Short description
• Duration
• Design expectation
• Design assessment procedures
• Operation expectations
• Operation assessment procedures
• Number
• Control
• Test Template
• Short description
• Duration
• Design expectation
• Design assessment procedures
• Operation expectations
• Operation assessment procedures
Audit task state flow: Open → Work In Progress → Review → Closed
• Primary Contact
• Other Contacts
• Execution Steps
• Explanation
• Additional Information
• Results
• Design effectiveness
– None
– Effective
– Ineffective
• Design expectations
• Design assessment procedures
• Design results
• Operation effectiveness
– None
– Effective
– Ineffective
• Operation expectations
• Operation assessment procedures
• Operation results